Title :
Verification of Access Control Policies for REA Business Processes
Author :
Karimi, Vahid R. ; Cowan, Donald D.
Author_Institution :
David R. Cheriton Sch. of Comput. Sci., Univ. of Waterloo, Waterloo, ON, Canada
Abstract :
Access control is a significant aspect of security and constitutes an important component of operating systems, database management systems (DBMS), and applications. Access control policies define which users have access to what objects and operations and describe any existing constraints. These policies are not only different from one organization to another but also change over time, even in a single organization. We examine the integration, not necessarily the inclusion, of these policies into business processes and consider such effects as consistency. Determining the effects of these policies can become difficult because several such policies exist, and taking into account all possible combinations or executions of these policies is tedious and error-prone. In addition, the number of policies usually increases over time and adds to the complexity of analyzing their combinations. It is acknowledged in the literature that what you specify is what you get, but that is not necessarily what you want. To show our approach, we specify certain access control policies for Resource-Event-Agent (REA) business processes and examine the addition and combination of these policies. More specifically, we illustrate the principle of separation of duties (e.g., two separate individuals must authorize ordering items and paying for them). Our main contribution is the verification of access control policies in conjunction with a REA business process.
Keywords :
authorisation; business data processing; resource allocation; software agents; access control policy verification; database management system; operating system; resource event agent business process; Access control; Application software; Computer applications; Computer science; Computer security; Data security; Database systems; Operating systems; Permission; Safety; Access control policies; Alloy; REA business processes; Resource-Event-Agent (REA); Safety; Separation of duties; Value chains; Verification;
Conference_Title :
Computer Software and Applications Conference, 2009. COMPSAC '09. 33rd Annual IEEE International
Conference_Location :
Seattle, WA
Print_ISBN :
978-0-7695-3726-9
DOI :
10.1109/COMPSAC.2009.170